
I *believe* my issue is that Spring Security is using SHA-1 and my Oracle hashing algorithm is using HMAC_SHA1?

I'm not sure where to proceed from here and I'm not seeing any smoking gun statements in the logs either.

Is there a way I can tell Spring Security to call my hashing function via the injected datasource and use that to compare to what's stored as the hashed_password in the database, vs Spring Security hashing the password itself and then comparing that to what's stored in the database?

SEVERE: Servlet.service() for servlet appServlet threw exception
java.lang.IllegalArgumentException: Salt value must be null when used with crypto module PasswordEncoder
at org.springframework.util.Assert.isNull(Assert.java:89)
at org.springframework.security.authentication.dao.DaoAuthenticationProvider$1.checkSalt(DaoAuthenticationProvider.java:152)

However, if I try to implement the org.springframework.security.providers.encoding.PasswordEncoder interface, I get method invocation errors in my logs. I'm assuming this is because it's trying to access protected class methods?


This interface does not allow a salt source since the method does not include salt as an argument. It uses the best practice of a secure random salt and includes it in the hashed password.




When used to generate a new password, I agree.

However, when I want to authenticate a login attempt, I want to get the salt I have stored in the database for that user, and then try to encrypt the password (using the stored salt in the db) and compare passwords.

This is the way I'm doing it now. Is there a better approach that doesn't require me passing in the salt? I don't see how I'd be able to do this without first retrieving my stored salt per-user when authenticating logins.


This error is different from the truncated error posted earlier. Previously there was a NullPointerException causing a problem, whereas now it appears that the configuration is missing a bean named passwordEncoder. You need to add your custom PasswordEncoder to your bean configuration.
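The replies above make two points that fit together: the crypto-module PasswordEncoder (org.springframework.security.crypto.password.PasswordEncoder) has no salt parameter because the salt is expected to travel inside the stored value, and the encoder has to be registered as a bean. The original poster's requirement, a per-user salt that already sits in the database and an HMAC-SHA1 routine that must be reproduced for existing rows, can be met on that contract by putting the salt into the stored string and parsing it back out in matches(). The class below is an added illustration written for this thread, not code from the thread or from Spring Security. It assumes a stored format of "<hex salt>$<hex hmac>", with the salt used as the HMAC key and the UTF-8 password as the message; the real Oracle routine may combine them differently, so that part must be checked against what DBMS_CRYPTO actually produced.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

import org.springframework.security.crypto.password.PasswordEncoder;

/**
 * Hypothetical encoder for an existing hashed_password column filled by an
 * HMAC-SHA1 routine in Oracle (example for this thread, not project code).
 * Assumed stored format: "<hex salt>$<hex hmac>", salt = HMAC key,
 * UTF-8 password = HMAC message. Because the salt is carried inside the
 * stored string, no SaltSource is configured and the crypto-module
 * PasswordEncoder contract (no salt argument) is satisfied.
 */
public class HmacSha1PasswordEncoder implements PasswordEncoder {

    private static final String ALGORITHM = "HmacSHA1";
    private static final int SALT_BYTES = 16;
    private final SecureRandom random = new SecureRandom();

    /** Used when a password is set: fresh random salt, embedded in the result. */
    @Override
    public String encode(CharSequence rawPassword) {
        byte[] salt = new byte[SALT_BYTES];
        random.nextBytes(salt);
        return toHex(salt) + "$" + toHex(hmac(salt, rawPassword));
    }

    /** Used at login: pull the stored salt back out, recompute, compare. */
    @Override
    public boolean matches(CharSequence rawPassword, String encodedPassword) {
        if (rawPassword == null || encodedPassword == null) {
            return false;
        }
        int sep = encodedPassword.indexOf('$');
        if (sep <= 0 || sep == encodedPassword.length() - 1) {
            return false; // malformed stored value: fail closed instead of throwing
        }
        byte[] salt;
        byte[] expected;
        try {
            salt = fromHex(encodedPassword.substring(0, sep));
            expected = fromHex(encodedPassword.substring(sep + 1));
        } catch (IllegalArgumentException e) {
            return false; // non-hex garbage in the column also fails closed
        }
        byte[] actual = hmac(salt, rawPassword);
        // Constant-time comparison so timing does not reveal how many bytes matched.
        return MessageDigest.isEqual(expected, actual);
    }

    private static byte[] hmac(byte[] salt, CharSequence rawPassword) {
        try {
            Mac mac = Mac.getInstance(ALGORITHM);
            mac.init(new SecretKeySpec(salt, ALGORITHM));
            return mac.doFinal(rawPassword.toString().getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("HmacSHA1 is not available in this JVM", e);
        }
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    private static byte[] fromHex(String hex) {
        if (hex.length() % 2 != 0) {
            throw new IllegalArgumentException("odd-length hex string");
        }
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            int hi = Character.digit(hex.charAt(2 * i), 16);
            int lo = Character.digit(hex.charAt(2 * i + 1), 16);
            if (hi < 0 || lo < 0) {
                throw new IllegalArgumentException("non-hex character in stored value");
            }
            out[i] = (byte) ((hi << 4) | lo);
        }
        return out;
    }
}
```

To wire it in, declare the bean and reference it from the authentication provider, which is what the last reply is asking for: `<bean id="passwordEncoder" class="com.example.HmacSha1PasswordEncoder"/>` and, inside `<authentication-provider>`, `<password-encoder ref="passwordEncoder"/>`, with no `<salt-source>` element, since that is exactly what triggers the "Salt value must be null when used with crypto module PasswordEncoder" assertion in the trace. Existing rows whose salt lives in a separate column would need to be joined into the single stored format once, or the user details service would have to assemble the string when it loads the user. Two caveats: the HMAC key/message ordering and encoding above are assumptions that must be verified against the Oracle routine on a known password before trusting a single login, and a salted HMAC-SHA1 is fast enough to brute-force offline, so for passwords set from now on the crypto module's BCryptPasswordEncoder is the better choice, with this class kept only to verify legacy hashes.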